Trojan horse version of TCP Wrappers

The original release of this advisory contained an error. Please take note of the changes mentioned in the revision history section at the end of this file.

The CERT Coordination Center has received confirmation that some copies of the source code for the TCP Wrappers tool (tcpd) were modified by an intruder and contain a Trojan horse.

We strongly encourage sites running the TCP Wrappers tool to immediately verify the integrity of their distribution.

I. Description

TCP Wrappers is a tool commonly used on Unix systems to monitor and filter connections to network services.

The CERT Coordination Center has received confirmation that some copies of the file tcp_wrappers_7.6.tar.gz have been modified by an intruder and contain a Trojan horse. This file contains the source code for TCP Wrappers version 7.6. This Trojan horse appears to have been made available on a number of FTP servers since Thursday, January 21, 1999 at 06:16:00 GMT. Copies downloaded prior to this time are not affected by this particular Trojan horse.

The Trojan horse version of TCP Wrappers provides root access to intruders initiating connections that have a source port of 421. Additionally, upon compilation, this Trojan horse version sends email to an external address. This email includes information identifying the site and the account that compiled the program. Specifically, the program sends information obtained from running the commands 'whoami' and 'uname -a'.

II. Impact

An intruder can gain unauthorized root access to any host running this Trojan horse version of TCP Wrappers.

Note: If you have already installed a Trojan horse version of TCP Wrappers, intruders can identify your site using information contained in this advisory. Please read the "Solution" section and take appropriate action to protect your site as soon as possible.

III. Solution

We encourage sites that downloaded a copy of TCP Wrappers after Thursday, January 21, 1999 at 06:16:00 GMT to verify the authenticity of their TCP Wrappers distribution, regardless of where it was obtained.

You can use the following MD5 checksums to verify the integrity of your TCP Wrappers distribution:

Appendix A provides checksums for the individual files within the distribution.

It is not sufficient to rely on the timestamps of the file when trying to determine whether or not you have a copy of the Trojan horse version.

Additionally, the file tcp_wrappers_7.6.tar.gz is distributed with the detached PGP signature tcp_wrappers_7.6.tar.gz.sig.

Wietse Venema is the author and maintainer of the TCP Wrappers distribution. You can verify the integrity and authenticity of your distribution with Wietse Venema's PGP public key. We have included a copy of his PGP public key below. Note that the Trojan horse version was not signed, and that Wietse Venema's PGP key was not compromised in any way.
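The following script is an added example of the checksum and detached-signature checks described above; it is not code from the advisory or from the TCP Wrappers project. It assumes GnuPG (gpg) is installed with the maintainer's public key already imported, and EXPECTED_MD5 is a placeholder for the value published in the advisory.

```shell
#!/bin/sh
# Added example, not code from the CERT advisory or the TCP Wrappers project:
# verify a downloaded tcp_wrappers_7.6.tar.gz against a known-good MD5 digest
# and the detached PGP signature tcp_wrappers_7.6.tar.gz.sig.

# Print the MD5 digest of a file (md5sum on Linux, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Return 0 only if the file exists and its MD5 equals the expected digest.
# File timestamps are deliberately ignored; the advisory says they are not
# a sufficient test.
verify_md5() {
    [ -f "$1" ] || return 1
    [ "$(md5_of "$1")" = "$2" ]
}

# Return 0 only if the detached signature validates. Assumes GnuPG (gpg)
# is installed and the maintainer's public key from the advisory has
# already been imported; the Trojan horse copy was not signed at all,
# so a missing .sig is a failure, not a pass.
verify_sig() {
    tarball="$1"; sig="${2:-$1.sig}"
    [ -f "$sig" ] || { echo "missing detached signature: $sig" >&2; return 1; }
    gpg --verify "$sig" "$tarball" >/dev/null 2>&1
}

# Both checks must pass; report which one failed.
check_distribution() {
    verify_md5 "$1" "$2" || { echo "MD5 mismatch: $1" >&2; return 1; }
    verify_sig "$1"      || { echo "signature check failed: $1" >&2; return 1; }
    echo "OK: $1 matches the published checksum and signature"
}

# Placeholder: substitute the MD5 value published in the advisory, obtained
# out of band rather than from the server that served the tarball.
EXPECTED_MD5="<md5-from-advisory>"
if [ -n "${1:-}" ]; then
    check_distribution "$1" "$EXPECTED_MD5"
fi
```

Run it as `sh verify_tcpd.sh tcp_wrappers_7.6.tar.gz` after replacing EXPECTED_MD5; a matching checksum with a missing or bad signature is still reported as a failure.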

As a workaround, until you are able to verify your copies of TCP Wrappers, you can block inbound connections with a source port of 421 at your network perimeter. However, it is possible that some operating systems or software may use port 421 in legitimate connections. Thus, it is possible that some legitimate connections might be blocked.

Where to Get TCP Wrappers

Wietse Venema has moved the primary FTP archive for TCP Wrapper source to a different location. The primary archive is now located at

Sites that mirror the TCP Wrapper source code are encouraged to update their mirroring procedures.

Wietse Venema expresses his gratitude to his former employer, Eindhoven University, for making possible the development and distribution of the TCP Wrapper software, and appreciates the support from system administrators of the department of mathematics and computing science.

Additionally, we have verified that the distribution of TCP Wrappers offered by the CERT Coordination Center at ftp.cert.org was not involved in this activity. TCP Wrappers is available from our FTP site at

The CERT Coordination Center wishes to thank Wietse Venema for his assistance in resolving this problem and Roy Arends of CERT-NL for valuable input in constructing this advisory. Additionally, we would like to thank Jochen Bauer of the Institute for Theoretical Physics at the University of Stuttgart for identifying an error in an earlier version of this advisory.

Wietse Venema expresses his appreciation to Andrew Brown of Crossbar Security, Inc. for noticing that the TCP Wrapper source code had been tampered with, and for informing the author of the incident.

Copyright 1999 Carnegie Mellon University.

Revision History

Fri January 22, 1999  Modified to reflect that the Trojan horse provides root access to intruders initiating connections from a source port of 421 as opposed to a destination port of 421.
                      Added a section indicating that the primary FTP archive for TCP Wrapper source has changed.
                      Added an MD5 checksum and size for the correct version of the file tcp_wrappers_7.6.tar.
                      Added MD5 checksums for individual files within the TCP Wrapper distribution.